AIS Exposed
Understanding Vulnerabilities & Attacks 2.0
Dr. Marco Balduzzi – @embyte
Senior Research Scientist, Trend Micro Research
(Kyle Wilhoit and Alessandro Pasta)
[ – DVD VERSION – ]
Outline
● Balduzzi et al., October 2013, HITB KUL ++
Automatic Identification System
● AIS, Automatic Identification System
● Tracking system for vessels
– Ship-to-ship communication
– From/to port authorities (VTS)
● Some applications:
– Maritime security (piracy)
– Collision avoidance
– Search and rescue
– Accident investigation
– Binary messages, e.g. weather forecasting
Required Installation
● Since 2002
● Introduced to supplement existing safety systems, e.g. traditional radars
● Required on:
– ANY international ship with gross tonnage of 300+
– ALL passenger ships regardless of size
● Estimated 400,000 installations
● Expected over a million
Data Exchange
● AIS messages are exchanged in two forms:
● Radio-frequency (VHF) – 162 ± 0.25 MHz
● Online AIS Providers
Example
Online AIS Providers
● Collect and visualize vessel information
● Communicating via:
– Mobile Apps
– Free/Commercial Software
– Radio-Frequency Gateways (deployed regionally)
Identified Threats
● Grouped in two macro categories
● 1. Implementation-specific = Online Providers
[Software]
VS
● 2. Protocol-specific = AIS Transponders
[RF / VHF]
AIS Application Layer
● AIVDM messages, e.g.:
– Position reports
– Static reports
– Management (channel...)
– Safety-related (SART)
● NMEA sentences, as GPS
!AIVDM,1,1,,B,177KQJ5000G?tO`K>RA1wUbN0TKH,0*5C
TAG, FRAG_#, FRAG_ID, N/A, CHANNEL, PAYLOAD, PAD, CRC
AIVDM Encoder
Example
● Ship involved in Military Operations
● MMSI 247 320162 (Italy)
Spoofing – Online Providers
● Ships or Aids-to-Navigation
US to North Korea... What?!
● Wargames (1983) or cyberwar?
Programming a malicious route
● Tool to make a ship follow a path over time
● Programmed with Google Earth's KML/KMZ information
Hijacking (Rogue Gateway)
Example
● “Move” a real ship – Eleanor Gordon
Popping Up in Dallas?
Radio-Frequency (VHF) Threats
AIS Communication over the Air
● Protocol designed in a “hardware-epoch”
● Hacking was difficult and expensive
● No authentication, no integrity check
● 2014
● Craft AIS signals?
● Let's do it via software!
SDR – Software Defined Radio
● Many applications, e.g. Radio / TV receivers, 20 USD
● Radio amateurs, SDR transmitters
● Reduced costs
● Reduced complexity
● Increased flexibility
● Accessible by many, pirates included!
Our Testing Lab
AIS Transmitter
● Built & implemented a software-based AIS transmitter
● GnuRadio, http://gnuradio.org/
● Custom block: AIS Frame Builder [Ref, HITB KUL 2013]
RF Spoofing
● Radio-frequency (VHF) version of spoofing
● Setup: [Attacker] – [Victim]
● Amplifier: 20+ km (modified radio)
Victim's Console
Injecting into legit AIS gateways
Man-in-water Spoofing
● Fake a "man-in-the-water" distress beacon
● Trigger SART (S.O.S.) alerts
● Visually and acoustically
● Lure a victim vessel into navigating to a hostile and attacker-controlled sea space
● Mandatory by legislation
Man-in-water Spoofing
Frequency Hopping (DoS++)
● Disable AIS transponders
● Switch to non-default frequency (RX and TX)
● Single or multiple target(s)
● Program a desired targeted region
– Geographically remote region applies as well
● For example: Pirates can render a ship “invisible” upon entering Somalia
Frequency Hopping (DoS++)
CPA Alerting
● Fake a CPA alert, Closest Point of Approach
● Trigger a collision warning alert
● Possibly alter course
CPA Alerting
Malicious Weather Forecasting
Slot Starvation (DoS++)
● Impersonate port authority
● Base station spoofing
● Book TDMA slots
Slot Starvation (DoS++)
● Base Station Spoofing
Slot Starvation (DoS++)
● Victim's Console
Timing Attack (DoS++)
● Instruct an AIS transponder to delay its transmission in time
● Default broadcast time:
– Static reports = 6 min
– Dynamic reports = 0.5 to 3 min (depending on speed)
● Attack code:–
Attack the Application Layer
● AIVDM (AIS) messages are
– exchanged at RF;
– processed at application layer by back-end software
● Binary message, special type used for
– Crew members
– Number of passengers
– Environment information
● Malicious payloads, e.g. BOF, SQLi, …
Example
● SQL Error in back-end processing
Hardware Panic! (DoS)
● Flood the device... Noise on Channel + GPS
Responsible Disclosure
● Experiments conducted without interfering with existing systems
– Messages with safety-implications tested only in lab environment (wired connections)
● We reached out to the appropriate providers and authorities within time
– MarineTraffic, AisHub, VesselFinder, ShipFinder
– ITU-R, IALA, IMO, US Coast Guards
Proposed countermeasures
● Authentication
– Ensure the transmitter is the owner (spoofing)
● Time Check
– Avoid replay attack
● Integrity Monitoring
– Tamper checking of AIS message (hijacking)
● Validity Check on Data Context
– E.g., Geographical information
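The AIVDM sentence layout from the AIS Application Layer slide and the "Validity Check on Data Context" countermeasure, as an added example that is not from the original slides: a receiver-side check that verifies the CRC field, decodes the slide's position report, and flags a position jump that would require an impossible speed. The function names, the receiver-side `t` timestamp (seconds) and the 60-knot cap are assumptions.

```python
import math

# Sentence copied from the AIS Application Layer slide; later reports in tests are constructed.
SLIDE_SENTENCE = "!AIVDM,1,1,,B,177KQJ5000G?tO`K>RA1wUbN0TKH,0*5C"

def checksum_ok(sentence):
    """CRC field: XOR of every character between '!' and '*', as two hex digits."""
    body, _, given = sentence.strip()[1:].partition("*")
    calc = 0
    for ch in body:
        calc ^= ord(ch)
    return f"{calc:02X}" == given.upper()

def payload_bits(payload, pad):
    """Undo the 6-bit ASCII armoring of PAYLOAD and drop the PAD fill bits."""
    bits = ""
    for ch in payload:
        o = ord(ch)
        if not (48 <= o <= 87 or 96 <= o <= 119):
            raise ValueError("illegal payload character")
        bits += f"{o - 48 - (8 if o >= 96 else 0):06b}"
    return bits[:len(bits) - pad]

def field(bits, start, length, signed=False):
    """Read one big-endian bit field, optionally as two's complement."""
    v = int(bits[start:start + length], 2)
    return v - (1 << length) if signed and bits[start] == "1" else v

def decode_position(sentence):
    """Decode a single-fragment type 1/2/3 position report, else ValueError."""
    if not checksum_ok(sentence):
        raise ValueError("bad checksum")
    tag, nfrag, frag, _seq, _chan, payload, tail = sentence.strip().split(",")
    if tag != "!AIVDM" or (nfrag, frag) != ("1", "1"):
        raise ValueError("not a single-fragment AIVDM sentence")
    bits = payload_bits(payload, int(tail.split("*")[0]))
    if len(bits) < 168 or field(bits, 0, 6) not in (1, 2, 3):
        raise ValueError("not a position report")
    return {"mmsi": field(bits, 8, 30), "sog_kn": field(bits, 50, 10) / 10,
            "lon": field(bits, 61, 28, True) / 600000,
            "lat": field(bits, 89, 27, True) / 600000}

def implied_speed_kn(prev, cur):
    """Knots needed to travel between two reports; "t" is receive time in seconds."""
    p1, p2 = math.radians(prev["lat"]), math.radians(cur["lat"])
    dlon = math.radians(cur["lon"] - prev["lon"])
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    nm = 2 * 3440.065 * math.asin(math.sqrt(min(1.0, h)))  # Earth radius in nautical miles
    return nm / (max(cur["t"] - prev["t"], 1) / 3600)

def plausible(prev, cur, max_kn=60.0):
    """Data-context check: same MMSI must not jump faster than max_kn (assumed cap)."""
    return prev["mmsi"] != cur["mmsi"] or implied_speed_kn(prev, cur) <= max_kn
```

A passing CRC and a plausible track only show the report is well-formed and physically consistent; neither authenticates the sender, which is the separate Authentication item on the slide.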
Take Home
● AIS is widely used – Mandatory installation
● AIS is a major technology in marine safety
● AIS is broken at implementation-level
● AIS is broken at protocol-level
● We hope that our work will help in raising the issue and enhancing the existing situation!
Thanks!
● Dr. Marco Balduzzi et al. – @embyte
● Black Hat Asia, 27 March 2014, Singapore